Summary
src/public/FormHandler.js inserts heading and message values directly into HTML without escaping, which can lead to cross-site scripting (XSS).
Location
Around lines 745 and 756:
html += '<p class="wpf_alert_heading">' + heading + '</p>';
html += '<li>' + message + '</li>';
Impact
If heading or message contains HTML metacharacters (e.g. a <script> tag or an element carrying an inline event handler such as onerror), the browser parses them as markup rather than rendering them as text, so attacker-controlled values can execute script in the page.
Suggested Fix
Escape HTML entities before inserting into the DOM. The helper below uses the browser's own serializer: a text node can only contain text, so reading it back through innerHTML yields the value with &, < and > encoded. Note that this encodes element content only; it does not encode quotes, so it is adequate here because heading and message are placed between tags, not inside attribute values.
function escapeHtml(str) {
  // Create a throwaway element and add the value as a text node,
  // which the DOM stores literally (no markup parsing).
  const div = document.createElement('div');
  div.appendChild(document.createTextNode(str));
  // Serializing the element back to HTML entity-encodes &, < and >.
  return div.innerHTML;
}
Then use escapeHtml(heading) and escapeHtml(message) in place of the raw values, so the concatenated string contains the encoded text and the browser renders it literally.
Reference
Identified by GitHub CodeQL code scanning (rule: DOM text reinterpreted as HTML, severity: high).